Dear list,
I'm currently tinkering with adding host attributes (as custom attrs, or for the moment into the description field). My intention is to then read these from the host in order to define some local behaviour for scripts or puppet.
Example - a concept of machine ownership, or device class for local scripts or puppet to know about.
The two ways I've thought of so far entail
- having the CLI tools installed to run IPA commands, or
- kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts I'm interested in.
It occurred to me that sssd or some other components I understand less well might already be able to trivially read the host data IPA holds, or that the kinit might not be needed given the machine can already read out getent parts direct from LDAP/IPA values with a non network account in use.
Any ideas or suggestions around this so I don't reinvent the wheel?
Kind regards,
David
Hi again,
Just a little nudge to see if anyone has attempted any of the prior mentioned, or if they may have ideas on how this is best achieved.
Kind regards,
David
On 27 March 2018 at 16:22, David Harvey davidcharvey@googlemail.com wrote:
On Tue, 27 March 2018, David Harvey via FreeIPA-users wrote:
Dear list,
I'm currently tinkering with adding host attributes (as custom attrs, or for the moment into the description field). My intention is to then read these from the host in order to define some local behaviour for scripts or puppet.
Example - a concept of machine ownership, or device class for local scripts or puppet to know about.
The two ways I've thought of so far entail
- having the CLI tools installed to run IPA commands, or
- kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts I'm interested in.
It occurred to me that sssd or some other components I understand less well might already be able to trivially read the host data IPA holds, or that the kinit might not be needed given the machine can already read out getent parts direct from LDAP/IPA values with a non network account in use.
Any ideas or suggestions around this so I don't reinvent the wheel?
While SSSD can be taught to read user-specific attributes by adding them in the configuration, the same cannot be done for host-specific attributes. So you are back to those two methods you outline above.
One note is that you'd need to add permissions to be able to read the attributes we don't explicitly allow for services/host principals. See https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for details on how to achieve that. For plugin examples look at my github.com/abbra/ page for freeipa-* plugin repos.
Thank you, that's a great help.
One follow-up question. Is there some way of cajoling ipa host-show into only displaying specific fields? Or is it better just to use ldapsearch with a suitable search filter (given both need to use the host or a service keytab if this is to be run by puppet)? The fields I'm interested in (descriptions, platform, OS, Class) are thankfully available (at least using the host principal).
Kind regards,
David
On 14 May 2018 at 14:14, Alexander Bokovoy abokovoy@redhat.com wrote:
While SSSD can be taught to read user-specific attributes by adding them in the configuration, the same cannot be done for host-specific attributes. So you are back to those two methods you outline above.
One note is that you'd need to add permissions to be able to read the attributes we don't explicitly allow for services/host principals. See https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for details on how to achieve that. For plugin examples look at my github.com/abbra/ page for freeipa-* plugin repos.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
On Mon, 14 May 2018, David Harvey wrote:
Thank you, that's a great help.
One follow-up question. Is there some way of cajoling ipa host-show into only displaying specific fields? Or is it better just to use ldapsearch with a suitable search filter (given both need to use the host or a service keytab if this is to be run by puppet)?
If you only need them, just use ldapsearch. There is no way to control what fields are returned by IPA CLI -- it is a default set or everything (--all).
The fields I'm interested in (descriptions, platform, OS, Class) are thankfully available (at least using the host principal).
Good.
Kind regards,
David
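The keytab-plus-ldapsearch route that both replies point at, as an added example script (not from the thread or from FreeIPA itself). It authenticates as the host principal from /etc/krb5.keytab, requests only the four attributes behind the host-show labels David lists (description, nshardwareplatform, nsosversion, userclass), and turns the LDIF into KEY=VALUE lines a script or a Puppet external fact can consume. It also checks that every requested attribute actually came back, since the directory silently drops attributes the host principal is not permitted to read, which is the permission point Alexander raises. The server name ipa.example.com, the suffix dc=example,dc=com, the ipa_ fact prefix and the sample LDIF are constructed assumptions; without the --live flag the script parses the embedded sample so the parser can be tried offline.

```shell
#!/bin/bash
# Added example, not code from the thread or from FreeIPA: read a few host
# attributes with the host's own keytab and emit them as ipa_<attr>=<value>.
# Assumed (hypothetical) values, adjust for your deployment:
#   IPA_SERVER - an IPA replica, default ipa.example.com
#   IPA_SUFFIX - the directory suffix, default dc=example,dc=com
#   /etc/krb5.keytab holds host/<fqdn>@REALM, as on any enrolled client
set -eu

IPA_SERVER="${IPA_SERVER:-ipa.example.com}"
IPA_SUFFIX="${IPA_SUFFIX:-dc=example,dc=com}"

# LDAP attribute names behind the "ipa host-show" labels
# Description, Platform, Operating system and Class.
ATTRS="description nshardwareplatform nsosversion userclass"

# Live lookup: get a ticket for the host principal into a private credential
# cache, ask only for the attributes we need, then discard the cache.
fetch_host_ldif() {
    fqdn=$(hostname -f)
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    trap 'kdestroy 2>/dev/null || :' EXIT
    kinit -kt /etc/krb5.keytab "host/${fqdn}"
    # -LLL: plain LDIF without comments or version line; $ATTRS is split on purpose
    ldapsearch -LLL -Y GSSAPI -H "ldap://${IPA_SERVER}" \
        -b "cn=computers,cn=accounts,${IPA_SUFFIX}" \
        "(fqdn=${fqdn})" $ATTRS
}

# Convert LDIF on stdin into ipa_<attr>=<value> lines. Handles LDIF line
# folding (continuation lines start with one space) and base64 values
# ("attr:: ..."), which ldapsearch emits for values it cannot print verbatim.
ldif_to_facts() {
    sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' |
    while IFS= read -r line; do
        case "$line" in '' | '#'* | dn:*) continue ;; esac
        key=${line%%:*}
        rest=${line#*:}
        case "$rest" in
            ': '*) val=$(printf '%s' "${rest#: }" | base64 -d) ;;
            ' '*)  val=${rest# } ;;
            *)     continue ;;
        esac
        printf 'ipa_%s=%s\n' "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" "$val"
    done
}

# Print the requested attributes that did not come back. The server omits
# attributes the bound principal may not read, so a non-empty result means
# the host principal still lacks a read permission for those attributes.
missing_attrs() {
    facts=$(cat)
    for a in $ATTRS; do
        printf '%s\n' "$facts" | grep -q "^ipa_${a}=" || echo "$a"
    done
}

# Constructed sample of what ldapsearch returns for one host, with a folded
# line and a base64 value (decodes to owner=infra) to exercise the parser.
SAMPLE_LDIF=$(cat <<'EOF'
dn: fqdn=web01.example.com,cn=computers,cn=accounts,dc=example,dc=com
description:: b3duZXI9aW5mcmE=
nshardwareplatform: Dell Power
 Edge R740
nsosversion: RHEL 7.5
userclass: webserver
EOF
)

sample_facts() { printf '%s\n' "$SAMPLE_LDIF" | ldif_to_facts; }

main() {
    if [ "${1:-}" = "--live" ]; then
        facts=$(fetch_host_ldif | ldif_to_facts)
    else
        facts=$(sample_facts)
    fi
    printf '%s\n' "$facts"
    missing=$(printf '%s\n' "$facts" | missing_attrs)
    if [ -n "$missing" ]; then
        echo "warning: attributes not returned (check read permissions): $missing" >&2
        return 1
    fi
}

main "$@"
```

Run it with --live on an enrolled client to query the directory; run it with no arguments to see the parser handle the folded and base64 lines of the constructed sample. Redirecting the output into a file under Puppet's external facts directory is one way to expose the values, but that layout is a deployment choice, not something the thread prescribes.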
freeipa-users@lists.fedorahosted.org